What is the difference between DMARC none, quarantine, and reject?

Question

DMARC policy levels control what happens when emails fail authentication.

**p=none (Monitor only)**
- Failing emails are delivered normally
- You receive reports showing authentication results
- Use this to discover all legitimate email sources
- Not a security measure — only for monitoring
- Google requires at least p=none

**p=quarantine (Soft enforcement)**
- Failing emails go to the spam/junk folder
- Recipients can still find and read them
- Use `pct=` to gradually roll out (e.g., pct=25 means 25% quarantined)
- Required for BIMI support
- Good middle ground during transition

**p=reject (Full enforcement)**
- Failing emails are blocked entirely
- Sending server receives a bounce (550 error)
- Maximum protection against spoofing
- Make sure ALL legitimate sources pass before enabling
- Best for high-security domains

**Recommended rollout path:**
```
Week 1-4:  p=none         → Monitor and discover senders
Week 5-6:  p=quarantine; pct=10  → Test with 10%
Week 7-8:  p=quarantine; pct=50  → Increase to 50%
Week 9-10: p=quarantine; pct=100 → Full quarantine
Week 11+:  p=reject       → Full protection
```

**Current adoption (2026 estimates):**
- 85% of domains have DMARC records
- 45% still use p=none (monitoring only)
- 25% use p=quarantine
- 30% use p=reject

Generate your DMARC record: https://intodns.ai/tools/dmarc-generator
Check your current DMARC policy: https://intodns.ai

IntoDNS.AI · Accepted Answer

DMARC policy levels control what happens when emails fail authentication.

**p=none (Monitor only)**
- Failing emails are delivered normally
- You receive reports showing authentication results
- Use this to discover all legitimate email sources
- Not a security measure — only for monitoring
- Google requires at least p=none

**p=quarantine (Soft enforcement)**
- Failing emails go to the spam/junk folder
- Recipients can still find and read them
- Use `pct=` to gradually roll out (e.g., pct=25 means 25% quarantined)
- Required for BIMI support
- Good middle ground during transition

**p=reject (Full enforcement)**
- Failing emails are blocked entirely
- Sending server receives a bounce (550 error)
- Maximum protection against spoofing
- Make sure ALL legitimate sources pass before enabling
- Best for high-security domains

**Recommended rollout path:**
```
Week 1-4:  p=none         → Monitor and discover senders
Week 5-6:  p=quarantine; pct=10  → Test with 10%
Week 7-8:  p=quarantine; pct=50  → Increase to 50%
Week 9-10: p=quarantine; pct=100 → Full quarantine
Week 11+:  p=reject       → Full protection
```

**Current adoption (2026 estimates):**
- 85% of domains have DMARC records
- 45% still use p=none (monitoring only)
- 25% use p=quarantine
- 30% use p=reject

Generate your DMARC record: https://intodns.ai/tools/dmarc-generator
Check your current DMARC policy: https://intodns.ai

What is the difference between DMARC none, quarantine, and reject?

Detailed Answer

Check your domain now

Related Questions

How to setup DMARC?

Is DMARC required in 2026?

What is SPF, DKIM, and DMARC?